SID Attributes in an Access Token

Each user and group security identifier (SID) in an access token has a set of attributes that control how the system uses the SID in an access check. The following attributes control access checking.

SE_GROUP_ENABLED
    A SID with this attribute is enabled for access checks. When the system performs an access check, it considers the access-allowed and access-denied access control entries (ACEs) that apply to any enabled SID in the token. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.

SE_GROUP_USE_FOR_DENY_ONLY
    A SID with this attribute is a deny-only SID. When the system performs an access check, it applies access-denied ACEs that match the SID but ignores access-allowed ACEs for it, so the SID can only take rights away, never grant them. A deny-only SID never has the SE_GROUP_ENABLED attribute, and it cannot be re-enabled.

To set or clear the SE_GROUP_ENABLED attribute of a group SID, use the AdjustTokenGroups function; the token handle must have TOKEN_ADJUST_GROUPS access (and TOKEN_QUERY access as well if you request the previous state). You cannot disable a group SID that has the SE_GROUP_MANDATORY attribute, and you cannot use AdjustTokenGroups to disable the user SID of an access token.

To determine whether a SID is enabled in a token, that is, whether it has the SE_GROUP_ENABLED attribute, call the CheckTokenMembership function. It reports the SID as a member only if the SID is present in the token and enabled; a SID that is present but disabled, or marked deny-only, is reported as not a member.

To set the SE_GROUP_USE_FOR_DENY_ONLY attribute of a SID, include the SID in the SidsToDisable array that you pass to the CreateRestrictedToken function. CreateRestrictedToken can apply the SE_GROUP_USE_FOR_DENY_ONLY attribute to any SID, including the user SID and group SIDs that have the SE_GROUP_MANDATORY attribute. The change is one-way: you cannot remove the deny-only attribute from a SID, nor can you use AdjustTokenGroups to set the SE_GROUP_ENABLED attribute on a deny-only SID.

To get the attributes of the group SIDs, call the GetTokenInformation function with the TokenGroups value. The function fills a TOKEN_GROUPS structure whose Groups member is an array of SID_AND_ATTRIBUTES structures, one per group SID, each holding the SID and its attribute flags. The user SID is not part of that array; retrieve it with the TokenUser value, which returns a TOKEN_USER structure containing a single SID_AND_ATTRIBUTES.
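The following Python script is an added example, not code from the original page or from Microsoft. It decodes the attribute bits of a SID_AND_ATTRIBUTES entry (the winnt.h values), classifies each SID the way the access check does (enabled, deny-only, or ignored), and walks a DACL against a token under those rules: enabled SIDs match allow and deny ACEs, deny-only SIDs match deny ACEs only, and disabled SIDs match nothing. On Windows it also dumps the groups of the current process token through GetTokenInformation(TokenGroups) via ctypes. The SAMPLE_TOKEN, the SIDs in it, and the ACE masks are constructed for illustration; the layout of that sample (BUILTIN\Administrators marked deny-only while BUILTIN\Users stays enabled) is the shape of a UAC-filtered administrator token. The access_check function is a model of the documented semantics, not the kernel's implementation.

```python
"""Decode SID attributes from an access token and model their effect on an access check."""
import ctypes
import sys

# SID_AND_ATTRIBUTES.Attributes bits (winnt.h)
SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED = 0x1, 0x2, 0x4
SE_GROUP_OWNER, SE_GROUP_USE_FOR_DENY_ONLY = 0x8, 0x10
SE_GROUP_INTEGRITY, SE_GROUP_INTEGRITY_ENABLED, SE_GROUP_RESOURCE = 0x20, 0x40, 0x20000000
SE_GROUP_LOGON_ID = 0xC0000000  # two-bit field; compare the masked value, not a single bit
ATTRIBUTE_NAMES = {  # single-bit flags, in ascending bit order
    SE_GROUP_MANDATORY: "SE_GROUP_MANDATORY", SE_GROUP_ENABLED_BY_DEFAULT: "SE_GROUP_ENABLED_BY_DEFAULT",
    SE_GROUP_ENABLED: "SE_GROUP_ENABLED", SE_GROUP_OWNER: "SE_GROUP_OWNER",
    SE_GROUP_USE_FOR_DENY_ONLY: "SE_GROUP_USE_FOR_DENY_ONLY", SE_GROUP_INTEGRITY: "SE_GROUP_INTEGRITY",
    SE_GROUP_INTEGRITY_ENABLED: "SE_GROUP_INTEGRITY_ENABLED", SE_GROUP_RESOURCE: "SE_GROUP_RESOURCE",
}


def decode_attributes(attrs):
    """Names of the attribute flags set in an Attributes DWORD."""
    names = [name for bit, name in ATTRIBUTE_NAMES.items() if attrs & bit]
    if attrs & SE_GROUP_LOGON_ID == SE_GROUP_LOGON_ID:
        names.append("SE_GROUP_LOGON_ID")
    return names


def sid_role(attrs):
    """How an access check treats a SID carrying these attributes."""
    if attrs & SE_GROUP_USE_FOR_DENY_ONLY:
        return "deny-only"  # matches access-denied ACEs only; never carries SE_GROUP_ENABLED
    if attrs & SE_GROUP_ENABLED:
        return "enabled"    # matches access-allowed and access-denied ACEs
    return "ignored"        # disabled group: no ACE applies to it


def access_check(token_sids, dacl, desired):
    """Model of the DACL walk. token_sids: {sid: attributes}; dacl: ordered (ace_type, sid, mask).
    Returns (allowed, granted_mask). Stops at the first deny ACE covering a still-ungranted
    requested right, or as soon as every requested right has been granted."""
    granted = 0
    for ace_type, sid, mask in dacl:
        role = sid_role(token_sids.get(sid, 0))  # a SID absent from the token matches nothing
        if role == "ignored":
            continue
        remaining = desired & ~granted
        if ace_type == "deny":
            if mask & remaining:  # enabled and deny-only SIDs both trigger denies
                return False, granted
        elif role == "enabled":   # allow ACEs never count for a deny-only SID
            granted |= mask & desired
            if granted == desired:
                return True, granted
    return granted == desired, granted


# Constructed sample (not captured from a real system): the shape of a UAC-filtered admin token.
SAMPLE_TOKEN = {
    "S-1-5-21-1-2-3-1001": SE_GROUP_ENABLED | SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT,  # user, modeled as enabled
    "S-1-5-32-545": SE_GROUP_ENABLED | SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT,          # BUILTIN\Users
    "S-1-5-32-544": SE_GROUP_USE_FOR_DENY_ONLY,                                                   # BUILTIN\Administrators, deny-only
    "S-1-5-21-1-2-3-1100": SE_GROUP_ENABLED_BY_DEFAULT,                                           # optional group disabled via AdjustTokenGroups
}


def current_token_groups():
    """Windows only: (sid_string, attributes) for each group in the current process token,
    read with GetTokenInformation(TokenGroups). The user SID lives under TokenUser, not here."""
    if sys.platform != "win32":
        raise OSError("current_token_groups needs the Win32 token APIs")
    from ctypes import wintypes

    class SID_AND_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Sid", ctypes.c_void_p), ("Attributes", wintypes.DWORD)]

    class TOKEN_GROUPS(ctypes.Structure):  # GroupCount, then a pointer-aligned Groups array
        _fields_ = [("GroupCount", wintypes.DWORD), ("Groups", SID_AND_ATTRIBUTES * 1)]

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    advapi32.ConvertSidToStringSidW.argtypes = [ctypes.c_void_p, ctypes.POINTER(wintypes.LPWSTR)]
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.LocalFree.argtypes = [ctypes.c_void_p]
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    TOKEN_QUERY, TokenGroups = 0x0008, 2

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        size = wintypes.DWORD()
        advapi32.GetTokenInformation(token, TokenGroups, None, 0, ctypes.byref(size))  # size query
        buf = ctypes.create_string_buffer(size.value)
        if not advapi32.GetTokenInformation(token, TokenGroups, buf, size, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        count = ctypes.cast(buf, ctypes.POINTER(wintypes.DWORD))[0]
        groups = ctypes.cast(ctypes.addressof(buf) + TOKEN_GROUPS.Groups.offset,
                             ctypes.POINTER(SID_AND_ATTRIBUTES))
        result = []
        for i in range(count):
            text = wintypes.LPWSTR()
            if not advapi32.ConvertSidToStringSidW(groups[i].Sid, ctypes.byref(text)):
                raise ctypes.WinError(ctypes.get_last_error())
            result.append((text.value, groups[i].Attributes))
            kernel32.LocalFree(ctypes.cast(text, ctypes.c_void_p))
        return result
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    groups = current_token_groups() if sys.platform == "win32" else SAMPLE_TOKEN.items()
    for sid, attrs in groups:
        print(f"{sid:<46} {sid_role(attrs):<9} {' | '.join(decode_attributes(attrs))}")
```

Run it in an elevated and in a non-elevated console on Windows and compare the S-1-5-32-544 line: the filtered token shows the Administrators group as deny-only, which is why an allow ACE for Administrators grants nothing to that token while a deny ACE for Administrators still blocks it. In the model, a deny ACE only matters for rights not yet granted by an earlier allow ACE, which is why ACE ordering within a DACL matters as much as the SID attributes.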